I recently purchased a ThinkPad laptop, model P14s with an AMD Ryzen CPU.
Before installing F41 (Workstation edition, via USB key) I noticed that Secure Boot was enabled, so I could not boot from the install USB key (which was expected).
I disabled Secure Boot, installed F41 fine and noticed that the security report in GNOME settings showed warnings regarding kernel lockdown and secure boot.
If I enable Secure Boot again in the UEFI, the laptop won’t boot (makes sense).
I have read that Fedora signs the kernel, so my question is simply: how can I register (enroll) the default Fedora keys in the UEFI keys database? (Without removing existing keys and, above all, not removing Microsoft keys, as they are required for some components of the laptop.)
I understand the basic theory of Secure Boot but I am not sure how to set it up myself on Fedora and am looking for a clear answer.
It should not be necessary to enroll a key for Fedora. AFAIK, Fedora uses a shim.efi binary that is signed by Microsoft and should therefore meet the requirements for Secure Boot. This will then verify the GRUB efi binary, launch that, which in turn will boot the kernel.
Does your boot entry point to the shim.efi or to GRUB’s binary?
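One way to answer that question from a running system, as an added example that is not part of the thread: the function below reads `efibootmgr -v` output and reports whether the entry the firmware actually booted points at shim or directly at GRUB. The names `classify_boot_entry`, `sample_shim` and `sample_grub` are hypothetical, and both sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). classify_boot_entry is a hypothetical helper.
# Reads `efibootmgr -v` text on stdin and reports which loader the entry named by
# BootCurrent points at: shim | grub | other | unknown.
classify_boot_entry() {
    awk '
        /^BootCurrent:/ { cur = $2 }
        # Entry lines look like "Boot0001* Fedora HD(...)/File(\EFI\fedora\shimx64.efi)"
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            entry[substr($1, 5, 4)] = tolower($0)
        }
        END {
            if (cur == "" || !(cur in entry)) { print "unknown"; exit }
            line = entry[cur]
            if (line ~ /shim[a-z0-9]*\.efi/)      print "shim"
            else if (line ~ /grub[a-z0-9]*\.efi/) print "grub"
            else                                  print "other"
        }'
}

# Constructed sample: the booted entry points at shim.
sample_shim() {
    cat <<'EOF'
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0002
Boot0001* Fedora HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x12c000)/File(\EFI\fedora\shimx64.efi)
Boot0002* USB HDD BBS(HD,,0x0)
EOF
}

# Constructed sample: the booted entry bypasses shim and points at GRUB.
sample_grub() {
    cat <<'EOF'
BootCurrent: 0003
BootOrder: 0003
Boot0003* Fedora HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x12c000)/File(\EFI\fedora\grubx64.efi)
EOF
}

# On a real system: efibootmgr -v | classify_boot_entry
sample_shim | classify_boot_entry
sample_grub | classify_boot_entry
```

On an installed system, pipe `efibootmgr -v` into the function; `mokutil --sb-state` reports whether Secure Boot is currently enabled.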
Stupid me!!!
For the record, if anyone is as stupid as me (unlikely), there is an option in the Lenovo UEFI (under Security => Secure Boot) to “Allow Microsoft 3rd party UEFI CA”.
I did not notice it yesterday during initial installation but @l-c-g, your question pointed me in the right direction! Thank you!
@yuntaz Thank you for the link. I searched this forum yesterday evening and this post was just posted a few hours later. It could have been the right answer.